From owner-freebsd-security@freebsd.org Wed Aug 25 15:35:57 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D22A56764D6 for ; Wed, 25 Aug 2021 15:35:57 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GvqnT1Bj7z3lyp for ; Wed, 25 Aug 2021 15:35:57 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-pg1-x531.google.com with SMTP id q68so68039pga.9 for ; Wed, 25 Aug 2021 08:35:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=TRgiBkU6DrQNum0YDttCQoldaFO4bO2b03h9plMCxYg=; b=LP/nZgZuBtM2SyoECHJGaW9I8X1nkDjD0B+Wk6hhlOK2dIV9nlt+E/8+5oQIYIABmG gzAIw9H3V8FuP9k0U9ZlcmY0nBbu/UTIVW2iWddE36Qkm5I4aQcj97Hv5v6AZdUJ9sHQ UwfOYPnieiU8HJ5PF9rJ+ypcsamwYWzdA+2WIIv4OkK/PzuEfBS2myqOXWD07jPk7mbN U+YP1xuNvilvRMojVPhoGbS7fgm5mGOCH4OZfiBgOZnuPF81zG43dXv3vMJDDFhYk4su s6Sxmbq9EcIm7EjYtqhupFtJ0sGuuFhaRg7SXyJ/vriaYr8MMiiKckwDIeUVmWn6ZGNh Qk8Q== X-Gm-Message-State: AOAM533BvyASRYi7PxhDyi1kjWIRdYe34Gfy7ohTVmxoXc2rMO5Zragc uJGhUbh/79ZacRNRycVcQAWW X-Google-Smtp-Source: ABdhPJwtW6QTWXsYw1c6wwfWlHfDZ9OW0srUxgm9s6pgSWtigL6rBYy6xMcXZVTld11SsrQYEQbOZw== X-Received: by 2002:a05:6a00:c81:b029:30e:21bf:4c15 with SMTP id a1-20020a056a000c81b029030e21bf4c15mr45010600pfv.70.1629905755937; Wed, 25 Aug 2021 08:35:55 -0700 (PDT) Received: from smtpclient.apple (2603-8001-5e40-d300-b929-93db-7d6e-0ae1.res6.spectrum.com. [2603:8001:5e40:d300:b929:93db:7d6e:ae1]) by smtp.gmail.com with ESMTPSA id u7sm62733pju.13.2021.08.25.08.35.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Aug 2021 08:35:55 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl From: Gordon Tetlow In-Reply-To: Date: Wed, 25 Aug 2021 08:35:54 -0700 Cc: freebsd-security Content-Transfer-Encoding: quoted-printable Message-Id: <7137A3E8-7B53-452B-8187-9F873A68A228@tetlows.org> References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> To: mike tancsa X-Mailer: Apple Mail (2.3654.120.0.1.13) X-Rspamd-Queue-Id: 4GvqnT1Bj7z3lyp X-Spamd-Bar: - X-Spamd-Result: default: False [-1.49 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[tetlows.org:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::531:from]; HAS_GOOGLE_REDIR(0.01)[]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2021 15:35:57 -0000 > On Aug 25, 2021, at 8:32 AM, mike tancsa wrote: >=20 > On 8/25/2021 11:22 AM, Gordon Tetlow wrote: >> Hi All, >>> Was reading the original advisory at >>> = https://www.google.com/url?q=3Dhttps://www.google.com/url?q%3Dhttps://www.= openssl.org/news/secadv/20210824.txt%26source%3Dgmail-imap%26ust%3D1630497= 552000000%26usg%3DAOvVaw21BGr3aGIh9CKIH3efYzY4&source=3Dgmail-imap&ust=3D1= 630510336000000&usg=3DAOvVaw1DOZPIolrilgltIWdl61D6 and it says >>>=20 >>> "OpenSSL versions 1.0.2y and below are affected by this = [CVE-2021-3712] >>> issue." >>>=20 >>> Does it not then impact RELENG11 ? >>>=20 >>> % openssl version >>> OpenSSL 1.0.2u-freebsd 20 Dec 2019 >>>=20 >>> I know RELENG_11 support ends in about a month, but should it not be >>> flagged ? >> As we don't have a support contract with OpenSSL to get access to = 1.0.2 patches, we could only roll the 1.1.1 patches. >=20 > Hi Gordon, >=20 > I was thinking more in terms of just a mention that RELENG_11 is > indeed vulnerable, no ? I hear you. We don't really have a way of doing that with our existing = SA setup. It's oriented to releasing patches; it is not equipped to = notify users of vulnerabilities that we do not have a patch for. Let me = think on how we might support such a thing and discuss with the team. Thanks, Gordon=